Establish FAST encrypted channel between linux client and windows server

Wilper, Ross rwilper at slac.stanford.edu
Wed Feb 11 10:24:27 EST 2015


I had not tried ktpass with a computer account before, but the procedure and command line outlined look ok. I would be a little wary of someone accidentally deleting the computer account since the password will never be changing and thus appear to be stale to the AD administrator.

If your issue is with ktpass.exe, the author IS using an older version of ktpass.exe and I know that command line parameters have changed somewhat.  Also, AD no longer supports DES enctypes by default, but ktpass assumes that you want to set the account for DES-only enctypes... You could try using "-desonly" or check the computer account for the DES only flag. (Grasping at straws a bit)

ktpass /out testComputer.keytab /mapuser CONTOSO\Computer$ /princ host/computer.contoso.com@CONTOSO.COM /crypto RC4-HMAC-NT /rndpass /ptype KRB5_NT_SRV_HST /mapop set -desonly

I'll note that /crypto has allowed values {DES-CBC-CRC|DES-CBC-MD5|RC4-HMAC-NT|AES256-SHA1|AES128-SHA1|All}
You might want to use AES instead or include more enctypes with a |

-Ross
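Before handing the keytab ktpass wrote to kinit as the armor source, it is worth checking what actually landed in it: the principal name, the kvno and the enctypes. The script below is an added example written for this page, not code from anyone in the thread. It implements the MIT keytab file layout (version 0x0502, the format ktpass and ktutil write) and flags DES and RC4 entries, since AD no longer accepts DES by default and an RC4-only keytab is the weakest thing the KDC will still take. The sample keytab it parses is constructed inline with made-up key bytes; the principal name, timestamp and kvno are assumptions for illustration.

```python
"""Parse an MIT-format keytab and audit the enctypes it carries.

Added example: implements the keytab v0x0502 layout and flags DES/RC4 keys.
"""
import struct
from dataclasses import dataclass

# IANA Kerberos enctype numbers for the values ktpass /crypto can emit.
ENCTYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "arcfour-hmac",
}
WEAK_ENCTYPES = {1, 3, 23}   # DES variants (off by default in AD) and RC4-HMAC
KRB5_NT_SRV_HST = 3          # name type set by ktpass /ptype KRB5_NT_SRV_HST


@dataclass
class KeytabEntry:
    principal: str
    name_type: int
    timestamp: int
    kvno: int
    enctype: int
    key: bytes


def _counted(buf, pos):
    """Read a 16-bit big-endian length-prefixed octet string at pos."""
    (n,) = struct.unpack_from(">H", buf, pos)
    return bytes(buf[pos + 2:pos + 2 + n]), pos + 2 + n


def _pack(octets):
    return struct.pack(">H", len(octets)) + octets


def parse_keytab(data):
    """Return the entries of a version-0x0502 keytab as KeytabEntry objects."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:              # negative size marks a deleted slot; skip it
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)   # v2: realm not counted
        pos += 2
        realm, pos = _counted(data, pos)
        comps = []
        for _ in range(ncomp):
            comp, pos = _counted(data, pos)
            comps.append(comp.decode())
        name_type, timestamp, vno8 = struct.unpack_from(">IIB", data, pos)
        pos += 9
        (enctype,) = struct.unpack_from(">H", data, pos)
        pos += 2
        key, pos = _counted(data, pos)
        kvno = vno8
        if end - pos >= 4:        # optional 32-bit kvno; nonzero overrides vno8
            (kvno32,) = struct.unpack_from(">I", data, pos)
            kvno = kvno32 or vno8
        principal = "/".join(comps) + "@" + realm.decode()
        entries.append(KeytabEntry(principal, name_type, timestamp, kvno, enctype, key))
        pos = end
    return entries


def build_keytab(entries):
    """Serialise (principal, name_type, timestamp, kvno, enctype, key) tuples."""
    out = bytearray(b"\x05\x02")
    for principal, name_type, timestamp, kvno, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        comps = name.split("/")
        body = struct.pack(">H", len(comps)) + _pack(realm.encode())
        for comp in comps:
            body += _pack(comp.encode())
        body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)
        body += struct.pack(">H", enctype) + _pack(key)
        body += struct.pack(">I", kvno)
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def audit_keytab(data, expected_principal):
    """Return (entries, findings); findings is empty when the keytab looks usable."""
    entries = parse_keytab(data)
    findings = []
    if not any(e.principal == expected_principal for e in entries):
        findings.append("no key for %s" % expected_principal)
    for e in entries:
        if e.enctype in WEAK_ENCTYPES:
            findings.append("%s kvno %d uses weak enctype %s" % (
                e.principal, e.kvno, ENCTYPE_NAMES.get(e.enctype, str(e.enctype))))
    return entries, findings


# Constructed sample (assumed names, made-up key bytes): one RC4 and one AES256
# key for the host principal, as "/crypto RC4-HMAC-NT|AES256-SHA1" might produce.
HOST_PRINC = "host/computer.contoso.com@CONTOSO.COM"
SAMPLE_KEYTAB = build_keytab([
    (HOST_PRINC, KRB5_NT_SRV_HST, 1423663467, 3, 23, bytes(range(16))),
    (HOST_PRINC, KRB5_NT_SRV_HST, 1423663467, 3, 18, bytes(range(32))),
])

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_KEYTAB
    entries, findings = audit_keytab(data, HOST_PRINC)
    for e in entries:
        print("%-40s kvno=%d %s" % (e.principal, e.kvno,
                                   ENCTYPE_NAMES.get(e.enctype, "enctype %d" % e.enctype)))
    for f in findings:
        print("WARNING:", f)
```

Pass the path of the real testComputer.keytab as the first argument to audit it instead of the built-in sample. An RC4-only keytab is reported as a warning rather than an error because the KDC will still accept it; the point is to see it before the FAST attempt so a missing AES key is not mistaken for an armoring problem.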

-----Original Message-----
From: Faisal Ali [mailto:faisal.ali.101 at gmail.com] 
Sent: Wednesday, February 11, 2015 4:49 AM
To: Wilper, Ross; kerberos at mit.edu
Subject: Re: Establish FAST encrypted channel between linux client and windows server

http://kerberos.996246.n3.nabble.com/Creating-a-keytab-with-ktpass-under-a-Computer-account-td14074.html



I followed above link to create a computer account on Windows server and generate keytab to be used for first kinit. It doesn't seem to work. Have I employed wrong procedure or was this expected?

--------------
Faisal Ali 


On Mon Feb 09 2015 at 9:20:03 PM Wilper, Ross <rwilper at slac.stanford.edu> wrote:


	I would be interested to see if you can make this work. It's been a while since I've looked into this and did not get very far.
	
	It sounds like you are on the right path - one of the gotchas is that AD does not seem to support pkinit null, which is what many Kerberos implementations do to create the armor. What Windows machines do is to use the computer account as the armor for the user account logon. This may actually be a requirement (that the armor be a computer account) because the AD KDC wants to have both involved in the logon interaction so as to generate computer and user claims into the resulting ticket. I hope that I am wrong on that.
	
	-Ross
	
	-----Original Message-----
	From: kerberos-bounces at mit.edu [mailto:kerberos-bounces at mit.edu] On Behalf Of Faisal Ali
	Sent: Monday, February 9, 2015 5:55 AM
	To: kerberos at mit.edu
	Subject: Establish FAST encrypted channel between linux client and windows server
	
	I am trying to set up windows server for FAST encrypted channel support to test OTP pre authentication in kerberos.
	
	I have already tested on linux machine by deploying KDC using krb5-1.12.1 source code, freeradius server and using keytab of service principal to receive armor ccache to be used to establish FAST encrypted channel between client and KDC.
	
	I have set up windows server 2012 for kerberos, and added support for "KDC support for claims, compound authentication and Kerberos armoring" policy on it. I can receive TGT for service principal. But, when I execute the command "kinit -T <armor-cache> <principal>", KDC does not reply with any padata and no FAST encrypted channel is established (observed through wireshark log and Kerberos library logs).
	
	Is it possible to establish a FAST encrypted channel between linux client and Windows AD? Have I missed any setting?
	________________________________________________
	Kerberos mailing list           Kerberos at mit.edu
	https://mailman.mit.edu/mailman/listinfo/kerberos
	